Feature #1224
Status: closed
Allow newlines in bpf filters in files specified by the -F flag
Description
Currently if you create a bpf filter as a file, the entire filter must be specified on a single line or it will not compile correctly. This can make managing complex filters somewhat unwieldy. I tried escaping the newline but that didn't work.
Updated by Peter Manev almost 10 years ago
I am not sure what you mean.
I just did a blogpost about bpf filters -
http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html
This is the BPF that I used in a file (there are new lines in there) -
root@snif01:/var/log/suricata# cat /home/pmanev/test/bpf-filter
( (ip and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667) or ( ip and tcp dst port 80 or (ip and tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))) or ((vlan and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667) or ( vlan and tcp dst port 80 or (vlan and tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))) )
root@snif01:/var/log/suricata#
and it worked fine in my case.
Is this the same issue, or did I misunderstand?
Updated by Cooper Nelson almost 10 years ago
It didn't work last time I tried it. As mentioned, it seems to work now so go ahead and close out the ticket.
Updated by Peter Manev almost 10 years ago
Before we do that - can we pinpoint what the reason was that it didn't run correctly the last time? Just to confirm there is no corner case or something.
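The description above says a filter file only compiled when the whole expression sat on one line, and the later comment shows a multi-line file that did work. The script below is an added example, not Suricata's own code: it is a preflight step that collapses a multi-line BPF filter file (honouring a trailing backslash as a line continuation, the escaping the reporter tried) into the single-line form that was reported to work, and checks that parentheses and brackets are balanced before the file is handed to a tool via -F. The sample filter file is constructed for this example; the continuation and blank-line conventions are this script's own assumptions, not a feature of BPF or of Suricata.

```python
"""Preflight for a multi-line BPF filter file (added example, not Suricata code).

Assumptions made by this script, not by BPF or Suricata:
  - a trailing backslash continues the expression on the next line
  - blank lines are ignored
  - the consumer wants the whole expression on a single line
"""
from typing import Optional


def flatten_bpf_filter(text: str) -> str:
    """Join the lines of a filter file into one whitespace-normalised line."""
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines carry no meaning
        if line.endswith("\\"):
            line = line[:-1].rstrip()  # assumption: backslash = continuation
        parts.append(line)
    # collapse runs of whitespace so the result is one clean line
    return " ".join(" ".join(parts).split())


def check_balanced(expr: str) -> Optional[str]:
    """Return None if ( ) and [ ] are balanced, else a short description."""
    pairs = {")": "(", "]": "["}
    stack = []
    for pos, ch in enumerate(expr):
        if ch in "([":
            stack.append((ch, pos))
        elif ch in pairs:
            if not stack or stack[-1][0] != pairs[ch]:
                return f"unexpected '{ch}' at offset {pos}"
            stack.pop()
    if stack:
        ch, pos = stack[-1]
        return f"unclosed '{ch}' opened at offset {pos}"
    return None


# Constructed sample filter file: newlines, indentation and one escaped newline.
SAMPLE_FILTER_FILE = """\
( (ip and port 22 or 443)
  or (ip and tcp dst port 80)

  or (ip and tcp src port 80 and \\
      (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0)) )
"""


def preflight(text: str) -> str:
    """Flatten the file and raise if the expression is not balanced."""
    flat = flatten_bpf_filter(text)
    problem = check_balanced(flat)
    if problem is not None:
        raise ValueError(f"filter does not look well formed: {problem}")
    return flat


if __name__ == "__main__":
    print(preflight(SAMPLE_FILTER_FILE))
    # Writing the result to a file is what you would then pass via -F.
```

The balance check is deliberately coarse: it catches the dropped-paren mistakes that multi-line editing invites, but it is not a BPF parser, so the flattened line should still be compiled by the consuming tool before it is relied on in production.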